Amazon Strands Agents Tools
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Amazon Strands Agents Tools.
Recent Amazon Strands Agents Tools Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-07-15 | CVE-2026-15746 - Credential disclosure in Strands Agents Tools elasticsearch_memory tool | July 15, 2026 |
By the Year
In 2026 there have been 1 vulnerability in Amazon Strands Agents Tools with an average score of 6.5 out of ten.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 6.50 |
It may take a day or so for new Strands Agents Tools vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Amazon Strands Agents Tools Security Vulnerabilities
SSRF in Strands Agents Tools elasticsearch_memory (pre 0.7.0)
CVE-2026-15746
6.5 - Medium
- July 15, 2026
Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator's ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator's Elasticsearch API key in the Authorization header. We recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed.
SSRF
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Amazon Strands Agents Tools or by Amazon? Click the Watch button to subscribe.